Now that the federal government is working again, I was wondering: whatever happened to cybersecurity legislation? As far as I can tell, the Cybersecurity Act of 2013 (S.1353) and CISPA are dead in the water right now. Why? Edward Snowden and the NSA programs put the kibosh on public trust (especially international trust), and Congress has other things it would rather fight about.
While legislation continues to languish, the President's Executive Order continues to progress. Yesterday, NIST released a preliminary version of its cybersecurity framework. With this release, NIST will allow a 45-day period for public comments on the framework. NIST plans to finalize the official guidance in February 2014.
It appears that Congress doesn't believe cybersecurity action is important enough to move forward, while the President has made cybersecurity an Executive priority.
So is federal cybersecurity action required or not? Rather than asking the policy wonks in Washington, ESG decided to query another interested population - security professionals working at enterprise organizations (i.e. more than 1,000 employees). To gauge their overall concern, ESG asked these security pros the following question: How concerned are you (if at all) that some type of massive cyber-attack could impact critical infrastructure, the economy, and/or national security? This issue clearly creates a lot of angst: 26% of enterprise security professionals are "very concerned," while 59% are "concerned."
Okay, so do enterprise security professionals believe that the U.S. Federal government is doing enough to help the private sector cope with cybersecurity and the current threat landscape? Nope. Twenty percent say, "the U.S. Federal government should be doing significantly more in this area," while 46% claim that, "the U.S. Federal government should be doing somewhat more in this area."
It's also interesting to note that 68% of security professionals working at critical infrastructure organizations believe that the U.S. Federal government should be doing "significantly more" or "somewhat more" in these areas, compared to 59% of security professionals working at non-critical infrastructure firms. So the security professionals on the front line of cybersecurity conflict are the ones who feel most strongly that the government needs to step in. If that's not a call for action, I don't know what is.
It's time for all parties - Democrats and Republicans, Congress and the President, the Beltway and Silicon Valley, and others - to listen to security professionals themselves. Let's share data, fund education programs, offer tax incentives, and accelerate Federal cybersecurity initiatives. Based upon the ESG data, enterprise security professionals want this help from Washington.